Download the Migration Tool

Overview

The Palo Alto Networks Migration Tool is derived from the successful Migration Tool used by the Palo Alto Networks Professional Services Organization and Channel Partners. It is an evolution of the Migration Tool into a configuration platform that allows you not only to migrate configurations but also to enhance, optimize, add, remove or edit elements, ultimately converting the legacy device rules into a next-generation model by creating App-IDs based on real traffic acquired from devices being installed or already in production. The Palo Alto Networks Migration Tool is a valuable asset for network security administrators who need or want to keep their rulebases in a pristine state.

Note: The Migration Tool is packaged as a virtual machine image. The download file is a zipped tar archive and the size is approximately 760MB.

Palo Alto Networks Community Members with Support Accounts

Community members who have a valid support account can download Migration Tool 3.3 (ensure you're logged on at the top of this page before attempting the download).

Don't Have a Support Account?

Please be aware the Migration Tool is provided as is, and is unsupported by our TAC. Assistance can be garnered through the Migration Tool Discussion Forum or by an onsite Professional Services Engineer, through your local sales contact.

I was able to get PMT3 running on both my VMware Workstation and ESXi5.5 (use VMware Converter Standalone Ed. to convert the VM to ESXi5.5).

However, when I try to import the SRX config file (output via "show config | display xml | no-more"), it keeps saying "XML is invalid. (Tip:Remove attributes from configuration tag)". I added <Configuration> and </Configuration> on the first and last lines. It is still invalid.

How can I do this? "The file has to start with tag configuration without attributes and end closing the configuration tag"

I found I must use "show configuration | display xml | save my-srx-config-file.xml" and then scp the file out of the SRX. If I do "show configuration | display xml | no-more" and then capture the text output, it will NOT show up as an XML-compliant file. When I compare the two outputs, they are different. I can read the SRX config into MT3 now.

I've downloaded and used the command tar -zxvpf PanMigrationTool3i.tgz to uncompress the file on my Mac running VMFusion. But when I attempt to open the uncompressed PAN_Migration_Tool_Minimal instance I get 'VMX file is corrupt'. I've tried twice now and both times get the same error. Any ideas?

If, after using "tar -xvzf PanMigrationTool3i.tgz" with Fusion 6 or later, you are not able to run the VM, please download the VM again. It's working for a lot of people; maybe the download was corrupted. Please confirm if this works for you.

I've tried multiple times now, with Safari, Chrome, and Firefox browsers and all downloads give me the same result that the VMX file is corrupt. I've tried downloading as a community user and as a non-community user both with the same result the file is corrupt. I am using VM Fusion 7. I've stopped and started VM Fusion and that has not worked either.

I'm so sorry to hear that. Can you confirm that, once you have uncompressed the file and you get the folder PAN_Migration_Tool_Minimal, you open VMfusion 7, click on File -> Open, then select the folder PAN_Migration_Tool_Minimal and click on Open? Please tell me whether you then get the error or the VM opens. Can you send us a screenshot with the error?

I have an ASA at 8.2, which is right below the version supported by the Migration Tool 3. We don't want to upgrade it because we'd need to rebuild the NATs and a whole host of other things in order to upgrade, and then probably have to do it again when migrating to the PA-3020. According to the notes/docs, we should use the Migration Tool version 2.5: import it into that, export it from there, and then import it into the 3.0. So the question is: where can I get version 2.5?

Also, as a side note, I tried to import the ASA config into the 3.0 migrator, but I get a lot of errors with the IP service where it doesn't recognize the service. How do I go about resolving that?

The old Migration Tool 2.5 can import only a selection of static NATs: only when the NAT is created as "static (zone,zone) xxx xxxx" without any reference to interfaces or access-list.

Remember, the Migration Tool is only a part of a migration project, where Technology, Process and People are required to achieve that. The Tool is obviously the Technology, but in order to migrate you need to have the right process and people with the knowledge to do that and to help cover the things that the tool doesn't do automatically today.

I just downloaded it from the site. I didn't have any problem downloading it with my anti-virus. Maybe just disable your anti-virus so you can download it; it is a valid download since it is coming from the Palo Alto website. Hope that helps.

Just an FYI: I finally found success getting past the "invalid xml" error. First I followed the above steps, but even with this file I was still receiving the invalid xml errors, which annoyed the heck outta me.

Steps to take:

- Find and remove any junos:comments like the line shown below. It seems the MT performs an XML validation and does not understand the syntax of these tags.

<junos:comment>/* randomcomment */</junos:comment>

- Start a new project: don't continue to use a failed import, as it seems something gets stuck in the MT and it cannot get past it. After starting a new project with the edited XML file, the MT imported and converted the migrated SRX policies.
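
The clean-up described in the comments above (a bare configuration root tag with no attributes, and no junos:comment elements), as an added Python example that is not part of the original thread or of the Migration Tool. The sample XML, its namespace URL and the function name clean_srx_xml are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of "show configuration | display xml" output (not from a real device).
SAMPLE = """<rpc-reply xmlns:junos="http://xml.juniper.net/junos/12.1X46/junos">
    <configuration junos:commit-seconds="1400000000" junos:commit-user="admin">
            <version>12.1X46-D10</version>
            <security>
                <policies>
                    <junos:comment>/* randomcomment */</junos:comment>
                    <policy>
                        <from-zone-name>trust</from-zone-name>
                        <to-zone-name>untrust</to-zone-name>
                    </policy>
                </policies>
            </security>
    </configuration>
    <cli>
        <banner></banner>
    </cli>
</rpc-reply>
"""

# Opening tag with or without attributes, up to the first closing tag.
CONFIG_RE = re.compile(r"<configuration(?:\s[^>]*)?>(.*?)</configuration>", re.DOTALL)
# A junos:comment element plus the whitespace and line break around it.
COMMENT_RE = re.compile(r"[ \t]*<junos:comment>.*?</junos:comment>[ \t]*\r?\n?", re.DOTALL)


def clean_srx_xml(raw: str) -> str:
    """Return only <configuration>...</configuration>, attribute-free, without junos:comment."""
    match = CONFIG_RE.search(raw)
    if match is None:
        raise ValueError("no <configuration> element found")
    body = COMMENT_RE.sub("", match.group(1))
    cleaned = "<configuration>" + body + "</configuration>\n"
    # The rpc-reply wrapper that declared the junos: prefix is gone, so any
    # junos:-prefixed name still present makes this parse fail (unbound prefix).
    ET.fromstring(cleaned)
    return cleaned


if __name__ == "__main__":
    print(clean_srx_xml(SAMPLE))
```

An ET.ParseError from this function means some other junos:-prefixed tag or attribute is still in the file and needs to be removed by hand before the import.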

We have the tool installed on CentOS with 2 vCPUs and 2 GB RAM. Are those the ideal specifications for the VM? Every time I use the tool for App-ID adoption, when I try to retrieve the application from the Panorama (using it as a log collector), it just freezes. Any idea?